System Binary Proxy Execution: Verclsid

Created the Sunday 05 March 2023. Updated 6 months, 4 weeks ago.

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.

Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.

Technique Identifier

T1218.012

Technique Tags

Defense Evasion verclsid.exe Extension CLSID Verification Host verifying shell extensions execute malicious payloads verclsid.exe /S /C {CLSID} COM objects bypass application control solutions download malicious scripts execute malicious scripts

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

System Binary Proxy Execution: Verclsid, Sub-technique T1218.012 - Enterprise | MITRE ATT&CK®